SSTI in the wild
We'll review some reported SSTI vulnerabilities; they're using different template engines, so remember the examples we have seen when we read them.
Uber Jinja2 TTSI
On April 6, 2016, a bug bounty hunter named Orange Tsai published an SSTI vulnerability in the Uber application, which used the Flask Jinja2 template engine.
Orange Tsai entered, in the Name
field, located in the Profile
section in rider.uber.com, these numbers to be evaluated:
{{ '7'*7 }}
When he accepted the change, the application sent an email and, in the email's body, there appeared 7777777
, the result:
Also, in the Uber application, the name of the user changed, showing how valid the action was:
So, he entered the following Python code:
{{ '7'*7 }} {{ [].class.base.subclasses() }} # get all classes {{''.class.mro()[1].subclasses()}} {%for c in [1,2,3] %}{{c,c,c}}{% endfor %}
The result was that he could extract all of the information about the currently running instance:
The tip you can use to detect this kind of...